poky/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch - openbmc/openbmc - Gitiles

 CVE: CVE-2018-20124
 Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373]

 Backport patch to fix CVE-2018-20124. Update context and stay with current
 function comp_handler() which has been replaced with complete_work() in latest
 git repo.

 Signed-off-by: Kai Kang <kai.kang@windriver.com>

 From 0e68373cc2b3a063ce067bc0cc3edaf370752890 Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Thu, 13 Dec 2018 01:00:34 +0530
 Subject: [PATCH] rdma: check num_sge does not exceed MAX_SGE

 rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
 to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
 with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
 Add check to avoid it.

 Reported-by: Saar Amar <saaramar5@gmail.com>
 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
 Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
 Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
 ---
  hw/rdma/rdma_backend.c | 12 ++++++------
  1 file changed, 6 insertions(+), 6 deletions(-)

 diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
 index d7a4bbd9..7f8028f8 100644
 --- a/hw/rdma/rdma_backend.c
 +++ b/hw/rdma/rdma_backend.c
 @@ -311,9 +311,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
      }

      pr_dbg("num_sge=%d\n", num_sge);
 -    if (!num_sge) {
 -        pr_dbg("num_sge=0\n");
 -        comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
 +    if (!num_sge || num_sge > MAX_SGE) {
 +        pr_dbg("invalid num_sge=%d\n", num_sge);
 +        comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
          return;
      }

 @@ -390,9 +390,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
      }

      pr_dbg("num_sge=%d\n", num_sge);
 -    if (!num_sge) {
 -        pr_dbg("num_sge=0\n");
 -        comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
 +    if (!num_sge || num_sge > MAX_SGE) {
 +        pr_dbg("invalid num_sge=%d\n", num_sge);
 +        comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
          return;
      }

 --
 2.20.1
	CVE: CVE-2018-20124
	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373]

	Backport patch to fix CVE-2018-20124. Update context and stay with current
	function comp_handler() which has been replaced with complete_work() in latest
	git repo.

	Signed-off-by: Kai Kang <kai.kang@windriver.com>

	From 0e68373cc2b3a063ce067bc0cc3edaf370752890 Mon Sep 17 00:00:00 2001
	From: Prasad J Pandit <pjp@fedoraproject.org>
	Date: Thu, 13 Dec 2018 01:00:34 +0530
	Subject: [PATCH] rdma: check num_sge does not exceed MAX_SGE

	rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
	to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
	with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
	Add check to avoid it.

	Reported-by: Saar Amar <saaramar5@gmail.com>
	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
	Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
	Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
	---
	hw/rdma/rdma_backend.c \| 12 ++++++------
	1 file changed, 6 insertions(+), 6 deletions(-)

	diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
	index d7a4bbd9..7f8028f8 100644
	--- a/hw/rdma/rdma_backend.c
	+++ b/hw/rdma/rdma_backend.c
	@@ -311,9 +311,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
	}

	pr_dbg("num_sge=%d\n", num_sge);
	- if (!num_sge) {
	- pr_dbg("num_sge=0\n");
	- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
	+ if (!num_sge \|\| num_sge > MAX_SGE) {
	+ pr_dbg("invalid num_sge=%d\n", num_sge);
	+ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
	return;
	}

	@@ -390,9 +390,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
	}

	pr_dbg("num_sge=%d\n", num_sge);
	- if (!num_sge) {
	- pr_dbg("num_sge=0\n");
	- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
	+ if (!num_sge \|\| num_sge > MAX_SGE) {
	+ pr_dbg("invalid num_sge=%d\n", num_sge);
	+ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
	return;
	}

	--
	2.20.1